[Dnsmasq-discuss] Announce: security and release of dnsmasq-2.83.
Geert Stappers
stappers at stappers.nl
Wed Jan 20 21:07:07 UTC 2021
On Tue, Jan 19, 2021 at 11:50:46AM +0000, Simon Kelley wrote:
> Dnsmasq 2.83 is now available from
>
> https://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.83.tar.gz
>
> The main focus in this release is security fixes for a some newly
> announced flaws. See
>
> https://www.jsof-tech.com/disclosures/dnspooq
> for the details.
Qouting that URL:
The origin of the name DNSpooq is a merge of 3 elements: DNS spoofing,
the idea of a spook spying on Internet traffic, and the ‘q’ at the
end of dnsmasq, replacing the ‘k’ of spook with a ‘q’. The spy
or spook graphic illustrates the effects of an effective DNS spoofing
on the ability to spy on internet traffic.
> There are broadly two sets of problems. The first is subtle errors in
> dnsmasq's protections against the chronic weakness of the DNS protocol
> to cache-poisoning attacks; the Birthday attack, Kaminsky, etc. The
> code is now as secure as it can be, given that the real solution to
> this is DNSSEC, both endpoint validation and domains actually signing.
> This is covered by CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686.
>
> Unfortunately, given the above, the second set of errors is a good old
> fashioned buffer overflow in dnsmasq's DNSSEC code. If DNSSEC validation
> is enabled, an installation is at risk. This is covered by
> CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687.
>
> Many, many people have worked over a considerable period to find these
> problems, fix them, and co-ordinate the security response. They are
> named in JSOF's disclosure, but special mention should go to
> Shlomi Oberman, Vijay Sarvepilli, Petr Menšík, and Dan Schaper.
>
>
> Cheers,
> Simon.
>
Thanks
Regards
Geert Stappers
--
Silence is hard to parse
More information about the Dnsmasq-discuss
mailing list